New GPG key

Aside

I’m finally moving to a more secure GPG key, replacing my more-than-decade-old 1024-bit DSA key with a new 4096-bit RSA one. I’ve uploaded the new key to pool.sks-keyservers.net and am publishing my transition statement here (a complete ripoff of the one suggested by the best practices document). The transition statement is signed by both keys, old and new.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA512

Key transition statement
========================

From: Miroslaw Baran
Date: 22/11/2014

I've recently set up a new OpenPGP key, and will be transitioning away
from my old one.

The old key will continue to be valid for some time, but i prefer all
future correspondence to come to the new one. I would also like this
new key to be re-integrated into the web of trust. This message is
signed by both keys to certify the transition.

the old key was:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pub   1024D/0x8F3B66A6FC494FC4 2000-12-06
      Key fingerprint = DDBE 8A23 7348 1CA7 FC91  56CC 8F3B 66A6 FC49 4FC4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And the new key is:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pub   4096R/0x5931F4435518D7D3 2014-11-16 [expires: 2016-11-15]
      Key fingerprint = EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To fetch the full key from a public key server, you can simply do:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  gpg --keyserver pool.sks-keyservers.net \
    --recv-key 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you already know my old key, you can now verify that the new key is
signed by the old one:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  gpg --check-sigs 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  gpg --fingerprint 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key. You can do
that by issuing the following command:

NOTE: if you have previously signed my key but did a local-only
signature (lsign), you will not want to issue the following, instead
you will want to use `--lsign-key`, and not send the signatures to the
keyserver

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  gpg --sign-key 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to receive your signatures on my key. You can either send me
an e-mail with the new signatures (if you have a functional MTA on
your system):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  gpg --export 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3' |
  gpg --encrypt -r 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3' --armor |
  mail -s 'OpenPGP Signatures' '<miroslaw+a+signatures@makabra.org>'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Additionally, I highly recommend that you implement a mechanism to keep
your key material up-to-date so that you obtain the latest revocations,
and other updates in a timely manner. You can do regular key updates by
using parcimonie to refresh your keyring. Parcimonie is a daemon that
slowly refreshes your keyring from a keyserver over Tor. It uses
a randomized sleep, and fresh tor circuits for each key. The purpose is
to make it hard for an attacker to correlate the key updates with your
keyring.

I also highly recommend checking out the excellent Riseup GPG best
practices doc, from which I stole all of the text for this transition
message: <https://we.riseup.net/debian/openpgp-best-practices>.

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.

Miroslaw Baran
-----BEGIN PGP SIGNATURE-----
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=Qi+W
-----END PGP SIGNATURE-----

To verify the signatures on the transition statement you may first need to download my new key (the statement also carries a signature from the old key, so gpg will report that one as unverifiable unless the old key is in your keyring as well):

  gpg --keyserver pool.sks-keyservers.net \
    --recv-key 'EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3'

and then execute the following:

  wget -qO - https://makabra.org/gpg-key-transition-20141122.md.asc |
    gpg --verify
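One way to script the check this post asks for (that the statement carries a valid signature from both the old and the new key, not just one "Good signature" line), as an added example that is not part of the original post: it parses GnuPG's `--status-fd` output, the interface meant for scripts, rather than the human-readable text. The fingerprints are the two printed in the statement above; the status lines embedded in the block are a constructed sample, not captured gpg output, and the `gpg_status` helper assumes a `gpg` binary and both keys in the keyring.

```python
"""Check a key-transition statement for valid signatures from BOTH keys.

Added example for this post, not code from the original page.  It reads
GnuPG's machine-readable status lines (gpg --status-fd 1 --verify FILE).
The fingerprints below are the ones printed in the transition statement;
SAMPLE_STATUS is a constructed sample of status output, not a real run.
"""
import os
import re
import subprocess

OLD_FPR = "DDBE 8A23 7348 1CA7 FC91  56CC 8F3B 66A6 FC49 4FC4"   # 1024D, 2000
NEW_FPR = "EDFF 6C46 1AC1 4AB2 7CC8  02C2 5931 F443 5518 D7D3"   # 4096R, 2014

STATUS_PREFIX = "[GNUPG:] "
# Verdicts for which gpg also emits VALIDSIG: the signature itself checks
# out, but the key may be expired or revoked, which is worth reporting.
VALID_VERDICTS = ("GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")
FAILED_VERDICTS = ("BADSIG", "ERRSIG")
VERDICT_NOTES = {"EXPSIG": "signature expired", "EXPKEYSIG": "key expired",
                 "REVKEYSIG": "key revoked"}
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def normalize_fpr(fpr):
    """'EDFF 6C46 ...' -> 'EDFF6C46...' so spaced and bare forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_status(status_output):
    """Group status lines into one dict per signature.

    Keys: verdict (GOODSIG/BADSIG/...), fpr (signing key), primary (primary
    key fingerprint when gpg reports it) and hash_algo (OpenPGP algorithm id).
    """
    sigs, cur = [], None
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag = fields[0]
        if tag == "NEWSIG":                      # gpg >= 2.1 marks each signature
            cur = {}
            sigs.append(cur)
        elif tag in VALID_VERDICTS or tag in FAILED_VERDICTS:
            if cur is None or "verdict" in cur:  # older gpg: no NEWSIG marker
                cur = {}
                sigs.append(cur)
            cur["verdict"] = tag
        elif tag == "VALIDSIG" and cur is not None:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> [<primary-fpr>]
            cur["fpr"] = fields[1].upper()
            cur["primary"] = fields[10].upper() if len(fields) > 10 else cur["fpr"]
            cur["hash_algo"] = int(fields[8])
    return sigs


def check_transition(status_output, expected_fprs):
    """Return (ok, report lines).

    ok is True only if every expected fingerprint produced a valid signature
    and no signature in the message failed to verify.  A valid signature
    from an unexpected key, or a weak hash, is reported but does not fail.
    """
    want = {normalize_fpr(f) for f in expected_fprs}
    seen, report, failed = {}, [], False
    for sig in parse_status(status_output):
        verdict = sig.get("verdict")
        if verdict in FAILED_VERDICTS or "primary" not in sig:
            failed = True
            report.append("signature failed to verify: %s" % verdict)
            continue
        seen[sig["primary"]] = verdict
        hname = HASH_NAMES.get(sig["hash_algo"], "algo %d" % sig["hash_algo"])
        note = " (%s)" % VERDICT_NOTES[verdict] if verdict in VERDICT_NOTES else ""
        report.append("valid %s signature from %s%s" % (hname, sig["primary"], note))
        if sig["hash_algo"] in (1, 2):
            report.append("  warning: %s-based signature; the weaker of the two" % hname)
    missing = sorted(want - set(seen))
    for fpr in missing:
        report.append("missing signature from expected key %s" % fpr)
    for fpr in sorted(set(seen) - want):
        report.append("signature from a key not named in the statement: %s" % fpr)
    return (not failed and not missing), report


def gpg_status(path, gnupghome=None):
    """Run gpg on a clearsigned file and return its status output.  Assumes a
    gpg binary and the signer's keys in the keyring; not used by the sample."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", path]
    env = dict(os.environ, GNUPGHOME=gnupghome) if gnupghome else None
    return subprocess.run(cmd, capture_output=True, text=True, env=env).stdout


# Constructed sample of gpg --status-fd output for the two-signature statement
# above: a DSA/SHA1 signature from the old key (pk-algo 17, hash 2) and an
# RSA/SHA512 one from the new key (pk-algo 1, hash 10), matching the
# "Hash: SHA1,SHA512" header.  Timestamps are made up.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8F3B66A6FC494FC4 Miroslaw Baran
[GNUPG:] VALIDSIG DDBE8A2373481CA7FC9156CC8F3B66A6FC494FC4 2014-11-22 1416614400 0 4 0 17 2 01 DDBE8A2373481CA7FC9156CC8F3B66A6FC494FC4
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5931F4435518D7D3 Miroslaw Baran
[GNUPG:] VALIDSIG EDFF6C461AC14AB27CC802C25931F4435518D7D3 2014-11-22 1416614400 0 4 0 1 10 01 EDFF6C461AC14AB27CC802C25931F4435518D7D3
"""

if __name__ == "__main__":
    ok, report = check_transition(SAMPLE_STATUS, [OLD_FPR, NEW_FPR])
    print("\n".join(report))
    print("transition statement OK" if ok else "transition statement NOT OK")
```

To run it against the real statement, feed `gpg_status("gpg-key-transition-20141122.md.asc")` to `check_transition` instead of the sample. Two things the plain `gpg --verify` output makes easy to miss are handled here: a statement with only one of the two signatures is reported as missing the other key, and an expired or revoked key is still counted as a valid signer but flagged, since by the time you read this the 2016 expiry on the new key may well have passed unless the key was refreshed from a keyserver.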

If you’ve signed my old key and are happy with the result of the verification, please do consider signing my new key too.